I have long wanted to write a series of posts in which I gradually describe various interesting odds and ends and tasks that have to be solved in a system administrator's daily routine. Perhaps some of this will be useful to other sysadmins.
I should say up front that my starting point is a Windows environment with an Active Directory domain, the OS being mainly Windows XP and Server 2003. The companies I served were mostly small (30 to 500 users).
Let's start with the common task of determining which user is working on which computer. Various techniques were tried to solve it:
naming machines after user names (tedious: after a couple of months you start forgetting to rename computers, and the system descends into chaos)
strict bookkeeping of who is allowed to go where, in a separate Excel sheet, plus restricting each user's logon right to one specific machine, etc. (pure paranoia; one of my clients did this. VERY tedious and dreary)
using third-party utilities, from BgInfo and PsLoggedOn from Sysinternals to all sorts of Hyena and Ideal Administrator (most of them cost money, do not always work correctly, or are too exposed; in the case of BgInfo, for example, everything is shown right on the desktop. Maybe it's paranoia, but I don't want the crowds of strangers in the sales department or at reception to learn the internal computer name, user name, IP, etc. just by glancing at the screen.)
As a result, we "built our own Luna Park, with VBS and users", and wrote two small logon/logoff scripts, which are run by Group Policy at the domain level when the user logs on and logs off, respectively.
LOGON-Option
' Bind to the current computer and user objects via ADSystemInfo
' (its ComputerName and UserName properties return distinguished names)
Dim adsinfo, ThisComp, oUser
Set adsinfo = CreateObject("ADSystemInfo")
Set ThisComp = GetObject("LDAP://" & adsinfo.ComputerName)
Set oUser = GetObject("LDAP://" & adsinfo.UserName)

' Write to AD: in the Department field of the computer object, who logged on and when
ThisComp.Put "Department", "Logged on: " & oUser.cn & " " & CStr(Now)
ThisComp.SetInfo

' In the Department field of the user object, on which computer and when
oUser.Put "Department", "Logged on: " & ThisComp.cn & " " & CStr(Now)
oUser.SetInfo
WScript.Quit
LOGOFF-Option
' Bind to the current computer and user objects via ADSystemInfo
' (its ComputerName and UserName properties return distinguished names)
Dim adsinfo, ThisComp, oUser
Set adsinfo = CreateObject("ADSystemInfo")
Set ThisComp = GetObject("LDAP://" & adsinfo.ComputerName)
Set oUser = GetObject("LDAP://" & adsinfo.UserName)

' Write to AD: in the Department field of the computer object, who logged off and when
ThisComp.Put "Department", "Logged off: " & oUser.cn & " " & CStr(Now)
ThisComp.SetInfo

' In the Department field of the user object, from which computer and when
oUser.Put "Department", "Logged off: " & ThisComp.cn & " " & CStr(Now)
oUser.SetInfo
WScript.Quit

Explanations of the code are probably unnecessary, the script is elementary; I will only describe the pluses of the script, which in my situation significantly outweighed the minuses (which I will also describe).
Pluses
With such a script it is enough to configure one additional column (in our case, Department) in the Active Directory Users and Computers snap-in, and you can clearly see where each person is working at the moment and when they logged on there, or, if nobody is working on the computer, who worked on it last and when they logged off.
No third-party software is involved; the system load (user logon time) increases only very slightly.
Stale user and computer objects in AD are easy to spot visually (by the date of the last logon).
The data is stored centrally in AD; no additional storage (file, folder, database, etc.) is needed. The data is duplicated in the User and Computer objects, so you can track the situation where the same account is logged on to two different computers at once.
The AD field used is one of the least used (for us and for all the organizations I have worked with) and is COMMON to both User and Computer objects. This is a plus, because if the fields were different, you would have to add extra columns in the AD snap-in.
The script is easy to adjust to your liking (choose other fields for storing the data, additionally write to a text file, exclude individual users or computers (for example, terminal servers), etc.).
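The records the scripts write can also be read back in bulk, instead of eyeballing the snap-in column, with a script like the following (an added example, not from the original post; it assumes the ActiveDirectory module from RSAT for the live Get-ADComputer query and a ru-RU locale on the machines that ran the logon script, and uses a constructed sample so it runs without a domain).

```powershell
# Added example (not from the original post). Because every domain user can
# write the Department attribute, treat these records as hints for the admin,
# not as audit evidence.

function ConvertFrom-PresenceRecord {
    # Parses "Logged on: Ivan Petrov 10.03.2010 9:02:11" into State/Name/When.
    # The name is matched lazily so a CN containing spaces still works.
    # CStr(Now) uses the locale of the machine that ran the logon script, so
    # the culture here must match it (ru-RU assumed; change to suit your domain).
    param([string]$Record, [string]$Culture = 'ru-RU')
    if ($Record -notmatch '^Logged (on|off): (.+?) (\d{1,2}[./]\d{1,2}[./]\d{4}.*)$') {
        return $null   # attribute holds something else (e.g. a real department)
    }
    $ci = [System.Globalization.CultureInfo]::GetCultureInfo($Culture)
    [pscustomobject]@{
        State = $Matches[1]
        Name  = $Matches[2]
        When  = [datetime]::Parse($Matches[3], $ci)
    }
}

function Get-PresenceReport {
    param(
        [Parameter(Mandatory)] [object[]]$Computers,  # objects with Name and Department
        [int]$StaleDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $parsed = foreach ($c in $Computers) {
        $r = ConvertFrom-PresenceRecord $c.Department   # $null fields if unparsable
        [pscustomobject]@{ Computer = $c.Name; State = $r.State; User = $r.Name; When = $r.When }
    }
    [pscustomobject]@{
        # No parsable record, or last activity older than the threshold
        Stale      = @($parsed | Where-Object { $null -eq $_.When -or $_.When -lt $Now.AddDays(-$StaleDays) })
        # Same user "on" on more than one machine: shared password or forgotten session
        MultiLogon = @($parsed | Where-Object { $_.State -eq 'on' } | Group-Object User | Where-Object { $_.Count -gt 1 })
    }
}

# Constructed sample; in the domain use: Get-ADComputer -Filter * -Properties department
$sample = @(
    [pscustomobject]@{ Name = 'PC-101'; Department = 'Logged on: Ivan Petrov 10.03.2010 9:02:11' },
    [pscustomobject]@{ Name = 'PC-102'; Department = 'Logged on: Ivan Petrov 10.03.2010 9:40:55' },
    [pscustomobject]@{ Name = 'PC-103'; Department = 'Logged off: Anna Sidorova 15.01.2010 18:30:00' },
    [pscustomobject]@{ Name = 'PC-104'; Department = 'Sales' }
)
$report = Get-PresenceReport -Computers $sample -Now ([datetime]'2010-03-12')
$report.Stale | Format-Table Computer, State, User, When
$report.MultiLogon | ForEach-Object { "{0} is logged on to: {1}" -f $_.Name, ($_.Group.Computer -join ', ') }
```

With the sample above, PC-103 and PC-104 are listed as stale and Ivan Petrov is reported as logged on to PC-101 and PC-102.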
Minuses
Logon history is not stored, i.e. only the current state is recorded. If logon history is needed temporarily, you can add a few lines of code to also write the information to a file on a network share; if you need it all the time, it is better to think about another accounting method.
All domain users have to be granted an additional Write / Modify permission on the Department attribute of Computer and User objects in AD. In my situation this minus is debatable, but I will not deny it either: it is there.